A hacking group known as Konni, believed to be linked to North Korea, has been carrying out a multistage cyber campaign that spreads malware by combining spear-phishing emails with the KakaoTalk messaging platform, cybersecurity researchers said.
According to cybersecurity firm Genians, the group continues to conduct advanced persistent threat (APT) operations, a tactic in which attackers single out specific targets and pursue long-term infiltration until the breach succeeds. The latest campaign is notable for using the KakaoTalk PC application on compromised computers as a pathway to spread malicious files.
The attack begins with a spear-phishing email crafted to appear legitimate. The message contains a malicious shortcut file with an LNK extension. When the recipient opens the file, a concealed script runs in the background and infects the computer.
Once inside the system, the attackers remain hidden for an extended period while extracting internal documents and account credentials. They then gain unauthorized access to the victim’s KakaoTalk PC application.
Investigators said the hackers select specific contacts from a victim’s friend list and resend malware disguised as files, including what appears to be a proposal for a North Korea-related video project. The tactic allows the attackers to widen their campaign by exploiting trusted messaging connections.
Experts said stronger user education is needed to help people remain alert to suspicious shortcut files or attachments that appear to be official documents.
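As an added example (not from the article or from Genians), a mail-triage check for the lure described above: it identifies shortcut files by their Shell Link header rather than by name, flags names such as "proposal.pdf.lnk" that Windows displays as "proposal.pdf", and looks inside ZIP attachments. The function names, the extension list and the header-only sample are assumptions made for illustration.

```python
import io
import struct
import zipfile

# Shell Link header (MS-SHLLINK): HeaderSize 0x4C, then LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID byte order.
LNK_MAGIC = struct.pack("<I", 0x4C) + bytes.fromhex("0114020000000000c000000000000046")
# Assumption: document extensions a lure is likely to imitate; tune per environment.
DOC_EXTS = {"pdf", "doc", "docx", "hwp", "hwpx", "xls", "xlsx", "ppt", "pptx", "txt"}
# Constructed sample: a header-only stub, not a working shortcut.
SAMPLE_LNK = LNK_MAGIC + bytes(56)

def check_file(name: str, head: bytes) -> list[str]:
    """Return reasons to quarantine one file, given its name and first bytes."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    reasons = []
    if head[:20] == LNK_MAGIC:
        reasons.append("content is a Windows shortcut (LNK header)")
        if ext != "lnk":
            reasons.append(f"shortcut content hidden under extension '{ext or 'none'}'")
    elif ext == "lnk":
        reasons.append(".lnk name without a valid shortcut header")
    # Explorer never shows the .lnk extension, so "x.pdf.lnk" is displayed as "x.pdf".
    if ext == "lnk" and len(parts) > 2 and parts[-2] in DOC_EXTS:
        reasons.append(f"double extension imitates a .{parts[-2]} document")
    return reasons

def check_attachment(name: str, data: bytes) -> dict[str, list[str]]:
    """Check an attachment and, if it is a ZIP, every member inside it."""
    findings = {}
    if r := check_file(name, data):
        findings[name] = r
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                try:
                    with zf.open(info) as fh:
                        head = fh.read(20)  # header only; never inflate whole members
                except RuntimeError:  # encrypted member: content cannot be inspected
                    head = b""
                if r := check_file(info.filename, head):
                    findings[f"{name}!{info.filename}"] = r
    return findings
```

An encrypted archive member cannot be inspected by content, so it is judged on its name alone.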
Reporter Han Chae-yeon chaezip@donga.com